In upcoming testimony before the House Homeland Security Committee, I'll be assessing the Department of Homeland Security, with particular focus on cybersecurity. Probably the most important point I'll be making is a simple one: We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds.
The obvious alternative is to identify the attackers and punish them. Many information security experts have given up on this approach. As they point out, retribution depends on attribution, and attribution is difficult; attackers can hop from country to country and from server to server to protect their identities.
I think this skepticism is outmoded, however. Our intelligence on cyberattacks has gotten a lot better. Investigators no longer need to trace each hop the hackers take. Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers.
No one can function in cyberspace without dropping bits of identifying data here and there. If the good guys' security is inherently flawed, so is the bad guys'. If we exploit their bad security systematically, we should be able to put attribution -- and retribution -- back at the center of our response to cyberattacks.
Since nothing else is likely to work, we need to pursue this possibility with vigor. We should take the offense, surrounding and breaking into hacker networks to gather information about what they're stealing and who they're giving it to. That kind of information will help us prosecute criminals and embarrass state-sponsored attackers. It will also allow us to tell the victim of an intrusion with some precision who is in his network, what they want, and how to stop them. DHS's intelligence analysis arm should be issuing more such reports and fewer bland generalities about terrorism risks for local law enforcement agencies.
If we're going to do this, though, we can't rely exclusively on government. Sure, governments have resources and authorities beyond those of any single company. But in aggregate, it's the private sector that is losing the most and that has the most resources to put into locating and punishing the attackers. In my private practice, I advise a fair number of companies who are fighting ongoing intrusions, often at a cost of $50 or $100 thousand a week. The money they are spending is going almost entirely to defensive measures. At the end of the process, they may succeed in getting the intruder out of their system. But the next week the same intruder may get another employee to click on a poisoned link and the whole process will begin again.
It’s a treadmill. Like me, these companies see only one way off the treadmill: to track the attackers, figure out who they are and who's buying the stolen information, and then to sanction the attackers and their customers. This view is starting to emerge into the light. When private companies’ cybersecurity executives were surveyed recently, “more than half thought their companies would be well served by the ability to ‘strike back’ against their attackers.” W. Fallon, Winning Cyber Battles Without Fighting, Time (Aug. 27, 2012).
And the FBI’s top cybersecurity lawyer just this week called our current strategy a “failed approach” and urged that the government enable hacking victims “to detect who’s penetrating their systems and to take more aggressive action to defend themselves.” Washington Post (Sep. 17, 2012).
He’s right. But under the Computer Fraud and Abuse Act -- especially as it's been administered by the Justice Department's Computer Crime and Intellectual Property Section, or CCIPS -- there are doubts about how far a company can go in hacking the hackers. I happen to think that some of those doubts are not well-founded, but only a very brave company would ignore them.
Now there's no doubt that US intelligence and law enforcement agencies have the authority to respond to hacks of US companies by breaking into the networks of suspected hackers and gathering information there. But by and large they don't.
Why not? Because complaining to the FBI and CCIPS about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle. You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won't get is a serious investigation. There are just too many crimes that have a higher priority.
In my view, that's a mistake. The Department, drawing on the resources of the entire government, should do some full-bore criminal and intelligence investigations of private sector intrusions, especially those that appear to be state-sponsored. We need to show that we can identify the attackers, and that we can make them pay.
But that solution won't scale, at least not when most of the Fortune 500 are probably under attack right now. If we want to use retribution and attribution broadly, we have to let the victims participate in, and pay for, many of these investigations.
Until recently, too many government officials have viewed such private countermeasures as the equivalent of vigilante justice. In my view, that just shows their lack of imagination. In the real world, if someone stops making payments on a car loan but keeps the car, the lender doesn't call the police. He hires a repo man. In the real world, if your child is kidnapped and the police aren't making the investigation a priority, you hire a private investigator. And, if I correctly remember the westerns I watched growing up, if a gang robs the town bank and the sheriff finds himself outnumbered, he deputizes a posse of citizens to help him track the robbers down.
Not one of those solutions is the equivalent of a lynch mob or of vigilante justice. Every one allows the victim to supplement law enforcement while preserving social control and oversight.
We need a corps of digital repo men and investigators that the private sector can deploy in a battle that the US government alone is losing. Of course we need to make sure this corps is regulated and can be sanctioned for excesses, as we do with repo men and investigators. But that's not hard to achieve. In fact, DHS could probably experiment with such a solution tomorrow if it chose, as could the FBI. Law enforcement agencies often have probable cause for a search warrant or even a wiretap order aimed at cyberintruders. Sometimes they use contractors to help them carry out a particularly technical search. So why don't they simply obtain a lawful intercept or search warrant aimed at a sophisticated hacker and turn the execution of the warrant over to a private contractor paid for by the victim and supervised by the agency? As long as it happens under government supervision, I can't think of any legal barrier to doing that tomorrow. (I recognize that the Antideficiency Act arguably prohibits the government from accepting free services, but it has more holes in it than my last pair of hiking socks, including exceptions for protection of property in emergencies and for gifts that also benefit the donor, so I doubt it will be a serious limitation.)
If systematic looting of America's commercial secrets truly is a crisis, and I believe that it is, why have we not already unleashed the creativity and resources of the private sector that is suffering the most direct harm?
While collected data on attackers has increased, it remains narrowly focused on the TTPs of low-medium level hacker crews. We don't have an equivalent level of data about acts of cyber espionage from foreign intelligence services or their agents via multiple channels that are ignored by gov't and private sector security firms (i.e., in-country ICT infrastructure, vendors, insiders, social engineering). Therefore, since we can't know sufficient data about who will attack, when, or how, companies and gov't need to treat their critical data differently and completely reject the concept that we can keep an adversary out of our network. What we can do, however, is keep critical data from leaving. Therefore, improved defensive strategies must remain part of any future cyber security framework and offensive actions must only be initiated when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted.
Posted by: Jeffreycarr | Sep 18, 2012 at 07:49 PM
Stewart, I like the deputizing method for cyber attacks.
Create a market-based solution for the problem, post a 'scalp' price w/ associated documentation (within a public or closed private forum)
Jeffrey: this won't work at scale: "when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted."
there just simply isn't enough trained manpower or funds
++ companies need to take more control over their infrastructure by seeing the source code in their systems versus just assuming it's secure because a company said so
Posted by: John Scott | Sep 18, 2012 at 08:22 PM
Jeffreycarr is right that we still lack a lot of data about our attackers. But our insight into attacker TTPs has opened up intelligence-gathering possibilities that could lead to the data we now lack. And it's true that we can't keep attackers out so we need to find new ways to protect crucial data. I don't see a contradiction in pursuing both priorities.
I'm not sure I'd draft the IC to decide when offensive action is warranted, for the reason John Scott gives. But the IC should certainly be part of the process of developing standards for what private sector investigators should be allowed to do under what circumstances.
Posted by: Stewart Baker | Sep 19, 2012 at 05:30 AM
Hi Stewart, private investigators aren't trained intel analysts, meaning that they don't know how to vet source material using analytic models nor do they apply negative analysis before making a pronouncement about attribution. So technically, no true analysis is being done by private investigators.
And, with respect, I've been intimately involved with incident response w/ breaches impacting Fortune 100 companies and can tell you with certainty that TTPs will not lead to "the data that we now lack". For one thing, researchers see what they are meant to see by the attacker. For another, the only groups that have been identified are aliases for 20 or so hacker crews. We have yet to concretely pin an attack on an FIS or nation state unless that state has overtly claimed responsibility for it.
Advocating for offensive actions by private companies is like putting weapons of mass destruction in the hands of children. Poor intelligence analysis leading to failures happens by trained analysts on a regular basis. In at least one case, it led us into a trillion-dollar war. Can you imagine the potential for widespread disruption if companies who think they know who attacked them strike back at the wrong nation state? That's a gamble that we don't need to take when a better defensive strategy will render most attacks impotent.
Posted by: Jeffreycarr | Sep 19, 2012 at 11:44 AM
Jeffrey,
I think you're wrong on many levels. Here are three.
1. I've worked with plenty of contractors who focus on cyber, and some of them are as good as or better than the "trained intel analysts" who do it inside government. Some of them probably were "trained intel analysts" before going to a contractor, and some of them have probably continued to do such analysis on contract to the government. There is no magic priesthood in government that Knows More Than The Rest of Us on this topic.
2. TTPs by themselves aren't all that we need. If they were, we wouldn't need to pursue attribution. But they demonstrate that pursuing attribution is not a fool's errand. We now know much more about the bad guys than we did five years ago. That strongly suggests that, with effort, we'll know much more five years from now. But we need to put resources into that effort, more resources and more imagination than the government can muster today.
3. And, with respect, your "WMD in the hands of children" line tells me that you want to argue with a straw man. This is a pretty common approach among CCIPS alumni; they have difficulty imagining any counterhack that doesn't involve frying adversary computers, followed closely by the deaths of patients in the intensive care unit that the computers support, or some equally outlandish hypothetical.
Where in my piece do you see a suggestion that private sector investigators should have authority to "strike back at nation states"? I'm talking about authorizing activities like conducting online investigations, evidence gathering, identifying the companies that are actually benefiting from the hacks so they can be sued, and depriving them of the benefits of what they've stolen. It's not hard to distinguish between those activities and an ICU-melting "strike". Yet defenders of the old CCIPS conventional wisdom can't seem to talk about this problem for five minutes without invoking visions of vigilante hackers engaged in random meltdowns of half-identified computers. Frankly, invoking that vision is the cyber equivalent of invoking Hitler in an online debate -- simply proof that you've already lost.
Posted by: Stewart Baker | Sep 19, 2012 at 09:31 PM
You do propose that offensive capabilities be given to the private sector. You may not intend for those capabilities to be used in the extreme but you believe that some latitude is possible, correct? My position is that I have yet to see any evidence that InfoSec companies can determine attribution that's any better than 50/50 guesswork. In my opinion, that's not good enough to give them any latitude in attacking someone else's computer.
We're probably too far apart in our respective positions to come to an agreement via a blog post, but thanks for providing a forum for engagement and discussion.
Posted by: Jeffreycarr | Sep 20, 2012 at 11:53 AM
There you go again. "Offensive capabilities" is a vague and sinister category that could include everything from breaking into networks and destroying hard drives to letting bad guys steal files that will phone home when they're opened by the thief. Why in the world would we fail to distinguish between destroying computers and exploiting them for evidence? The discourse on this question should also distinguish between the two -- unless one is trying to confuse the debate.
If I understand your position, it can be summarized as follows: The private sector can't do conclusive attribution today. So we should never allow them to engage in hacking for the purpose of conclusive attribution.
I don't buy it. But I will buy you a beer some day for a longer conversation.
Posted by: Stewart Baker | Sep 20, 2012 at 02:37 PM
I'd be honored to accept. Thanks, Stewart!
Posted by: Jeffreycarr | Sep 20, 2012 at 04:29 PM